
You say a student 'probably' obtained Admin rights, why do you think this? i.e.: what made you assume that they had Admin rights?

You say you're running NT with Service Pack 5, why not Service Pack 6a, and also what patches have been applied to these machines (if any)? <-- note this is a big opportunity for problems if not completed.

If the machine's BIOS isn't secured (and/or the 1st boot device is floppy) then access would have been easy: booting a Linux floppy with NTFS utils would allow them to reset the Admin password or to copy the SAM for later use.

I suggest, in addition to what has been suggested already, that you reset ALL passwords on the machine. He could have used the ERD for the machine and reset it to a prior password, then put in a backdoor admin account and changed it back. Or he could have run L0phtCrack on the SAM on the ERD. He could also have used one of these tools here:

A man on a mission?

You need a plan, man!
You need an emergency response plan that you practice and know. There are all SORTS of things you should have done immediately when you realized there may have been a problem. First of all, all passwords should be changed WEEKLY, and be alphanumeric+symbols and @ LEAST 8 characters long, PERIOD. This is VERY important. You should also have your admin computers physically secure and on a separate VLAN from curriculum computers, so even if a password were obtained, an offender would have to also circumvent physical security restraints in order to get on a computer he could use the password to log on to.
Find out ALL accounts that may have been accessing or 'probing' your computer within the hour you suspect the student got it, and if he was @ school during the time, what class was he in? There should be no fear of remote attack, really, though, because your district's firewall should block out incoming traffic with a double firewall, and have all public servers on the public backbone.

(My teacher is yelling @ me so I got's to go for now, hope this helped somewhat).

Already mentioned above by others:
- He could have taken the SAM from the NT repair directory, where NT stores a copy of the SAM, or from some ERD disk, and run a password 'auditing tool' (legal talk for 'cracker tool') on your SAM.
- With a Linux boot disk and NTFS tools (allowing him to read the partitions, including the ones that are normally protected by NT with a regular boot) he could easily gain access to your SAMs.

Changing passwords weekly is not easy to implement; the risk that users choose nearly the same pwd every week reduces your security. It's better to change passwords every month and require that it's entirely different. You need to consider both security and user-friendliness issues when you consider doing something about it. So definitely go for a (realistic) plan.
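
Added example, not part of any post in this thread: a sketch of a password-change check that combines the length and character-class rule from the earlier post with the "entirely different" requirement from the last one. The 0.5 similarity threshold and all function names are assumptions made for illustration; the comparison only works at change time, when the user types the old password, since the old plaintext must never be stored.

```python
import re

MIN_LENGTH = 8        # "at least 8 characters" as suggested in the thread
MAX_SIMILARITY = 0.5  # assumed threshold: above this the new password is "nearly the same"

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalise(pw):
    """Fold case and drop digits/symbols, so 'Summer#01' and 'summer!2024' compare equal."""
    return re.sub(r"[^a-z]", "", pw.lower())

def similarity(old, new):
    """1.0 = identical, 0.0 = nothing shared; the worse of the raw and normalised comparison."""
    scores = []
    for x, y in ((old, new), (normalise(old), normalise(new))):
        longest = max(len(x), len(y))
        if longest:  # skip a comparison where both sides are empty
            scores.append(1 - edit_distance(x, y) / longest)
    return max(scores, default=0.0)

def check_change(old, new):
    """Return the list of policy violations; an empty list means the change is accepted."""
    # 'old' is the password the user just typed to authorise the change,
    # not something read back from storage.
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too short")
    classes = (r"[A-Za-z]", r"\d", r"[^A-Za-z0-9]")
    if not all(re.search(p, new) for p in classes):
        problems.append("needs letters, digits and symbols")
    if similarity(old, new) > MAX_SIMILARITY:
        problems.append("too similar to previous password")
    return problems
```

A counter bump such as "Summer#01" to "Summer#02" passes the length and character-class rule but is rejected by the similarity check, which is the failure mode of frequent forced rotation described in the last post.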